nalarix.id

Security Policy — Nalarix

Reporting a Vulnerability

We take security seriously. If you discover a vulnerability in Nalarix (nalarix.id), please report it responsibly before public disclosure.

Contact: firyanainunus@gmail.com Subject line: [Security] <short description> PGP: not yet available; plain email is acceptable. For sensitive details, request encrypted channel setup via same email first.

What to Include

  • Vulnerability description (what, where, impact)
  • Reproduction steps (minimum viable)
  • Affected version / commit hash if known
  • Your preferred attribution (name, handle, or anonymous)

Our Commitment

  • Acknowledgement within 48 hours (business days, Asia/Jakarta)
  • Initial assessment within 7 days (triage + severity)
  • Coordinated disclosure: we ask for 90 days before public disclosure to allow us to patch and notify affected users. We will work in good faith to meet or shorten this window where reasonable.
  • Credit in release notes unless you prefer to remain anonymous
  • No legal action against researchers acting in good faith under this policy (see Safe Harbor below)

Severity Levels

Level Response SLA Examples
Critical (P0) Patch < 48h Auth bypass, RCE, mass data exposure
High (P1) Patch < 7d Privilege escalation, XSS in authenticated flow
Medium (P2) Patch < 30d CSRF in non-mutating flow, info disclosure (non-PII)
Low (P3) Patch < 90d Missing security headers, verbose error messages

Scope

In Scope

  • https://nalarix.id/* (production)
  • Authentication flow (Google OAuth, session handling)
  • Admin area (/admin/*) privilege checks
  • API endpoints (/api/*)
  • Payment flow integration (our side; Midtrans is separate)
  • Review tool (review-tool-server/)
  • Infrastructure (nginx config, systemd units) if reachable via nalarix.id

Out of Scope

  • Social engineering against the owner, team, or customers
  • DDoS or volumetric attacks
  • Physical attacks on VPS
  • Third-party services (Google, Midtrans, Hostinger) — report directly to them
  • Vulnerabilities in outdated browsers (< last 2 major versions)
  • Self-XSS or issues requiring full target compromise first
  • Rate limiting absence on public informational pages
  • Missing best-practice headers when compensating controls exist

Safe Harbor

We consider security research and vulnerability reporting under this policy authorized and lawful, provided you:

  • Make a good faith effort to avoid privacy violations and service disruption
  • Do not access, modify, or destroy data beyond what is necessary to demonstrate the vulnerability
  • Do not use the vulnerability to impact other users
  • Do not publicly disclose before we have had a reasonable chance to patch (see 90-day window)
  • Do not violate Indonesian law in the course of research

Threat Model Summary (STRIDE)

Threat Surface Mitigation
Spoofing Auth, session Google OAuth (no passwords), secure JWE cookies
Tampering API, DB Prisma parameterized queries, CSRF tokens, role checks via requireAdminAccess()
Repudiation Admin actions AdminAuditLog transactional writes for every mutation
Information disclosure DB, logs DB bind 127.0.0.1, TLS 1.2+1.3, no PII in logs, .env outside repo
Denial of service Public endpoints nginx rate limiting on sensitive routes, connection limits
Elevation of privilege Admin routes requireAdminAccess(module, action) permission matrix, proxy gate + layout gate + action gate (defense in depth)

Known Security Posture

  • TLS 1.2 + TLS 1.3 enabled; TLS 1.0/1.1 disabled; TLS 1.3-only enforcement is tracked for 30 days post-launch
  • HSTS enabled with one-week max-age (604800), without includeSubDomains or preload
  • nginx version hidden (server_tokens off)
  • Next.js X-Powered-By header hidden
  • Security headers: X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy deny-by-default for camera/geolocation/microphone and payment limited to self
  • App server binds to 127.0.0.1:3000; nginx proxies from public HTTPS
  • Session cookies: HttpOnly, Secure, SameSite=Lax
  • CSRF protection via Auth.js
  • Content-Security-Policy: to be tightened (tracked)
  • Rate limiting on sensitive nginx routes and /uploads/: ✅ implemented; app-layer rate limiting remains tracked
  • Hidden file exposure: ✅ blocked via nginx dotfile deny while preserving .well-known/
  • Source map exposure: ✅ blocked via productionBrowserSourceMaps: false plus nginx .map deny
  • security.txt: ✅ published at /.well-known/security.txt (RFC 9116)
  • Admin audit log: ✅ implemented (ADR-0012 §M5)
  • App log rotation: ✅ automated via /etc/logrotate.d/nalarix
  • /etc/nalarix/secrets* file modes: ✅ guarded by cron safety net
  • fail2ban: ✅ [sshd] + [nalarix-auth] + [nalarix-rate-limit-scanner]
  • Auth session TTL: ✅ 14 days global via Auth.js JWT session maxAge
  • APP-001 settings-admin matrix: ✅ documented at docs/conventions/admin-actions-authz-matrix.md
  • Dependabot: ✅ weekly npm scan for root and nalarix-app
  • Full backup automation: ✅ daily 03:00 WIB to dedicated nalarix-backup:Nalarix Backups/ rclone remote; latest smoke artifact verified 2026-04-29
  • Backup encryption at rest: ✅ default FDE
  • Secrets rotation: annual + ad-hoc (D013)

Runtime posture references: ADR-0018 v2.4, docs/runbooks/0007-overnight-hardening-bundle.md, and docs/runbooks/0008-overnight-bundle-a-hardening.md, docs/runbooks/0009-overnight-bundle-b-hardening.md.

Known Weaknesses (Tracked)

These are known and being addressed; reports on these are welcome but prioritization may be deferred:

  • Content Security Policy is not yet restrictive
  • No automated rate limiting middleware on /api/* (launch-gate item)
  • No automated DAST (planned post-launch)
  • Dependabot is configured, but first GitHub-detected dependency PRs are pending
  • Backup test-restore drill artifact is still pending as the next R0b closure step

Out-of-Band Communication

If your finding is actively being exploited and you need an urgent channel, send an email with subject prefix [SECURITY-URGENT] — we monitor that prefix outside of normal hours.

Update Log

Version Date Change
1.1 2026-04-29 Post Runbook 0007 runtime posture correction.
1.2 2026-04-29 Runbook 0008 Bundle A: HSTS 1 week, hidden/source-map defense, security.txt, fail2ban nginx jails, Auth.js 14d TTL, APP-001 matrix, Dependabot baseline.
1.3 2026-04-29 Runbook 0009 Bundle B: backup automation, limit-req drift sync, /uploads/ rate limit, dev-login removal, allowedOrigins cleanup, JSON parsing consistency, TLS/nginx patch verification.

Version: 1.3 Last updated: 2026-04-29 Owner: Firyan Ainun Nusantara